New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Comments
Even if he had, he wouldn't be able to tell you about it.
The "Warrant Canary" idea is untested in courts and there is considerable skepticism that it is legal.
True, not entirely. You might have enemies looking to take you down by leaking your browsing history to your favorite [redacted] fetish.
Not entirely true. When governments can store exabytes+ of data indefinitely on every human, they have an incredible permanent, personal record of everything you've ever done. Every place you've ever gone (thank you cell phone towers!), every site you've been to, things you've bought, library books you've checked out, etc.
With this information comes tremendous power.
like i said, with all those data they aint giving shit if you're just a loser.
they can store your data, but it will be just another joke of "idle vps".
we are just nobody, dude.
if they could explore the galaxy out there, there's no reason they aint spying your bedroom or eavesdropping whatever you do in the bathroom with the vibrator.
they own the law mate. its checkmate.
It's time to move beyond this kind of thinking, and I think when you understand my reasoning you'll agree.
This idea that you can move around from country to country and be "safe" for a period of time is, in my opinion, about as safe as standing on quicksand. At best you shift around the "how" but not the "what."
The US has controlling stakes in every aspect of the open internet. They don't need cooperation from governments, it just makes it easier. If they need to go the route of economic pressure they gladly will. Make no mistake they're already in your backyard: https://www.theguardian.com/us-news/2020/feb/11/crypto-ag-cia-bnd-germany-intelligence-report
If they're not, then they're beating the drums of war against you and the clock is ticking on the next iteration of their relations which could change any day without notice. Russia isn't cooperative with US intelligence, and we've been beating around the bush on going to war for a very long time. But then just not cooperating with the US doesn't mean safety. Just ask a Russian journalist that doesn't like Putin, if they haven't disappeared yet. Not to bash Russia I just don't think they're "safer" but rather a competing entity and that means they have their own interests and enemies to the same end.
You need to assume that if one of the major superpowers finds you interesting, your location and the location of your data will be irrelevant. This is the only sane thought process that aligns with reality. Ask Kim Dotcom how safe he was from the US in New Zealand when he got raided. That's the reality.
Outside of that...
Having something to hide isn't bad. It doesn't mean you're doing objectively "bad" things. Hell, these days it may just mean you have unpopular opinions. But you need to know how and when to compartmentalize. You can't realistically have an online service provider that fits the needs of "I need to send an invoice to my customers and track their delivery" and "I need everything to be self destructing with no logs retained on a server that explodes at midnight if the provider gets captured by intelligence agencies."
For every job you pick the right tool. I would argue that if you keep a suicide pill in your pocket and need to ensure that all of your communications are never accessible by anyone ever, to prevent any government from ever learning what you know, then what you know shouldn't be stored on any of these third party servers in locations you don't control. If it's of that high value why in the world would you gamble on some random party, or anyone who might acquire them or gain authority over them at any point in the future? That's just not sane. Snowden made a weird choice there and after what Ladar went through no one else wants to live that life under peaceful times.
We probably all have accounts at Gmail and Protonmail. I think we all know which one to use for what thing. We probably all also have things stored with nether. You know where to draw lines and where things belong based on their individual values. Teach others the same.
It's hard to assume what all the variables might be of such a theoretical scenario but I can tell you what I'd want to do. I'd want to move the data and tell the court to go fuck itself. If I couldn't, I'd want to wipe the data and inform customers that I'd been acquired by the government for $0 at gunpoint. If I couldn't even do that, I'd probably want to publish the existence of the backdoor and watch the world explode while I escaped with my family to Mexico.
But not everything is an action movie starring Liam Neeson. It's nice to imagine that you'd be this freedom fighter in a killdozer but the governments aren't going to let you gain that kind of reputation. They'll paint you as a terrorist, plant child porn on you, and most of the world will cheer as they gun you down on live television at your front door for daring to stand in their way.
Just don't try to put me in the situation where I'm counting my bullets thanks to your emails. Compartmentalize like I talked about above. I'm your generic email provider with a strong focus on challenging the market on pricing and outbound delivery. There's some additional privacy inherent in simply using an email provider that values things like not selling customer data but the servers aren't all in my house where I stand next to it with a loaded gun 24/7, so don't store things on it that you think should be stored in a place where that's true.
Lavabit was a US company. Ladar doesn't live far from me. He protected Snowden and he's alive and well. Take from it what you will but if you can't make an argument against data safety in any country along these same lines, I think it's because you're not trying. Follow investors, holding companies, upstream providers, etc. If you find some internet connected company that can't be traced back to the US through any potentially controlling path, then it's likely just under the jurisdiction of a competing regime with it's own issues that are likely similar in scope.
This remains true. To date there is nothing to report. No challenges, no law enforcement requests.
I would but if we're talking interest from intelligence agencies and I'm the next unwilling Assange, who knows who will be speaking for me while I'm in gitmo 😂
Yes, that. Plus one must keep in mind how they tick, in particular (a) 'grab first, sort later', and (b) what if something that looks irrelevant later turns out to be highly interesting and/or relevant?
@creep
No, wrong. Read raindog308's post again. If you were right they wouldn't need a capacity that allows them to store data in the MB range for each and every person on earth. Of course that's unlikely and probably they eavesdrop/spy/collect data "only" on about a couple of hundred million to maybe half a billion people but certainly 80% to 90% of those people would describe themselves as "just a nobody".
WHAT ARE YOU HIDING?? Blink if there is something wrong!
The movie suddenly fast-forwards.
@Jar wakes up in a seedy hotel room. He has no memory. Two dead bodies lie on the floor. He realizes he has a pistol in his hands. Sirens sound in the distance.
On pure instinct, he leaps from the bathroom window, does a half-dozen parkour moves, and lands next to an unoccupied car. He quickly jimmies the door, hotwires the ignition, and speeds away. It's only as he's accelerating through traffic at 120mph that he wonders where he learned to hotwire cars.
And what is this USB port in his forearm?
And when did he start smoking?
@jar
Yes, I indeed largely agree (with the part addressing me). But then experience shows again and again that most people (incl. most here at LET, sorry) know frighteningly little about IT-Sec and also most people don't care much (besides being angry for half an hour when they hear about the newest scandal), so one must put it short and crispy for them (as I think I did).
Btw, in a way adding to your point, when I read this thread's title I immediately thought "So, what?" because email is among the most vulnerable forms of communication anyway. Much (most?) still is transported via open channels anyway (maybe I encrypt my mail server connection but does the provider run his and does the other side run his connection encrypted too?) plus there are multiple systems involved and hence there are multiple attack surfaces and many vectors.
I'm not angry about email not being secure. I'm angry about judges utterly and in open daylight ignoring basic legal principles (set forth e.g. in the constitution).
USB? Tsts ... real Jason Bournes have invisible field-effect ports ...
Don't forget you can encrypt your email with any provider as well. Independent encryption puts it all in your hands while a third party stores it for you.
But no one else wants to converse with you that way and the CIA probably already injected a vulnerability into the algorithm right in front of everyone's face and no one noticed.
Defund the CIA and put them in gitmo. Worst thing we ever produced. As long as they continue to exist, the entire world has a CIA problem.
What is "gitmo"?
Right, and people could have done that 25+ years ago. PGP debuted in 1991.
When's the last time you received an encrypted email?
Heck, when's the last time you saw a digitally-signed one?
That's where we carry out our most blatant human rights violations. Where we detain people indefinitely or without clear end and justify it all in secret courts where we're supposed to just trust that mostly unelected officials are making morally and legally sound decisions. Typically people who aren't protected by the US constitution as they aren't citizens, though we can't really audit the records to ensure compliance with that.
Absolutely, except for a small detail: it's the NSA that taints and corrupts crypto algorithms wherever possible (not the CIA). That's why quite a few of my colleagues call NIST "no such agency", meaning that there is no NIST, just a NSA outpost calling itself NIST and doing the NSA's bidding.
AFAIC I avoid any NIST tainted algo but then I more often than not don't need FIPS certification (which btw boils down to 'you actually have very poor security but hey, you get a nice certificate').
Yes, my last attempt to motivate a lawyer - that is, someones whose job regularly is to deal with sensitive information - to use PGP, which I even installed for him on his computer, failed miserably and ended in him refusing and declaring "that's way too complicated!".
It's unfortunate the email provider is being ordered to do this, as it's just the stepping stone for government invasion into encrypted mail. Never trust the government to not abuse something once legal authority has been granted once.
That's...one way of interpreting things.
Guantanamo Bay. It's land the US has owned on the tip of Cuba since the Spanish-American War.
I think @jar is a sort of low-end Bourne...
Please don't tell me the new workflow includes pulling out a terminal and "gpg --decrypt". Most software otherwise should have an easy button or checkbox somewhere before sending and that's all no ?
Last I check they only took card payment (which fingerprint you, invasive, trackable), as "privacy first" email provider?
Private but not anonymous I guess.
That does seem to be a fairly valuable factor to differentiate by, now that you mention it.
So, USB 2 FS?
I won't comment (but I have a dirty smirk on my ugly face) ...
That wasn't the problem. He just found the whole concept - and implementation! - way too unintelligible and couldn't wrap his brain around it.
Really? Plenty of lawyers in Canada use PGP to transmit case-sensitive information. At the very least they'll do an AES-encrypted ZIP or a Veracrypt volume. Numerous court records reference that there is an agreement that xyz lawyer will transmit via PGP/Veracrypt/etc.
there is my TLS-Mail.com exists
In general, German telecommunications law (TKG) does NOT allow to monitor all users at once - however, thats how the translation misleads the facts written down in the article. Its questionable if the TKG applies for Tutanota, as the law itself, orients more likely on ISPs (which they are not).
The court order was for a single mailbox from which, blackmailing was coming from. German judge has to act always in proportionality.
Unencrypted emails can be also read by wiretapping all tutanota servers (als long as there is no TLS), which would even comply with the TKG and Tutanota wouldnt know, because their provider would be forced to not let them know. I guess that wouldnt be better.
The most likely issue in that case is, that if Tutanota doesnt comply with the court order, they can be fined or even go to jail at some point.
No serious email service provider will take on that risk for bad behaving, criminal users, which even dont pay a cent.
This will render their main service advantage - private email compromised and no longer respectable. Shitty situation with no good exits.
I think it's a bit gullible to look at the court rulings in these situations, every email provider with large numbers, in every single country is potentially monitored by that country's government, its allies and those who do counterintelligence. Espionage and counterintelligence it is applied by all nations, and it is the secret services that do that, not the courts, the ordinary courts get involved sometimes because someone tries to hack through that channel, a mine of private information such as emails, governments just take them, there is not only the CIA or NSA, every country has similar realities, even germany and switzerland, privacy does not exist in emails, if you want privacy try to encrypt messages in the most advanced way possible, is the best that can be done.
I happen to know through a former project that some professional associations in some countries did or do care about such problems and sometimes even have some software developed to make the use of e.g. communication encryption easier and/or to support or even implement national standards e.g. how tax advisers have to communicate and/or exchange data with the tax authorities. I don't know the canadian situation however.
I do know however that in multiple european countries there is no such support or it's not standardized. And what I said really happened that way.
Yet, exactly that seems to be what happened. That court did say that that law does apply to Tutanota. Besides that law is much hated in the country and ridiculously questionable.
Well, he did not. In fact he carelessly stepped over it and destroyed it by taking away any and all protection from thousands of Tutanota clients in order to eavesdrop on one - and well noted not even because of CP or terrorism but in an alleged blackmailing case.
Anyway, If any one email provider can be victimized by arbitrarily applying laws for carriers and providers, then all service providers of pretty much any kind can be arbitrarily victimized and all privacy and protection of citizens is null and void.
And from what reactions so far show that is what Tutanota users take it to mean. They are leaving in droves.
Proportionality? My a__! What that court and judge did is about as proportional as dropping bombs on a town because someone there is presumed to have stolen a bicyle - and that on multiple levels. To name just a few:
IF Tutanota does not store them encrypted. That may or may not be the case, I don't know.
If someone on saudi arabian territory does not comply with arbitrary edicts of some imam his hands or even his head might be cut off. Nobody will take that risk. Congrats, you just described a banana republic or a third rate regime.